Reported by: Helmut Grohne <helmut(a)subdivi.de>
The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which
can be selected via the CFGFILE= setting in /etc/default/kamailio. The
configuration contains:
```
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
```
This setting is insecure and may allow local users to elevate privileges
to the kamailio user.
The issue extends to kamailio-advanced.cfg. It seems that this is due to
an incomplete fix of #712083. Looking further, the state of /tmp file
vulnerabilities in kamailio looks worrisome. Most of the results of the
following command (to be executed in the kamailio source) are likely
vulnerable if executed:
```
grep '/tmp/[a-z0-9_.-]\+\(\$\$\)\?\([" ]\|$\)' -r .
```
Granted, some of the results are examples, documentation or obsolete.
But quite a few reach the default settings:
* kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
* The kamailio build definitely is vulnerable as can be seen in
utils/kamctl/Makefile.
More research clearly is required here. Given these findings, the
security team may want to veto the inclusion of kamailio in a stable
release, which would be very unfortunate as kamailio is quite a unique
piece of software with few competitors in its field.
Helmut
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775681
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/48
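A check that a daemon or packaging script could run before creating its FIFO or control socket, added here as an example (not code from Kamailio or the Debian package); the function and enum names are hypothetical. It flags a parent directory that other local users can write to, which is the property that makes `/tmp/kamailio_fifo` unsafe.

```c
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes (hypothetical names chosen for this example). */
enum { DIR_OK, DIR_MISSING, DIR_NOT_A_DIR, DIR_OTHERS_CAN_WRITE, DIR_WRONG_OWNER };

/* Check the directory that will hold `path` (a FIFO or unix socket about to be
 * created): only `owner` or root may own it and nobody else may write to it.
 * Rejecting group write as well is a conservative choice of this example. */
int runtime_dir_check(const char *path, uid_t owner)
{
    char buf[PATH_MAX];
    struct stat st;

    if (snprintf(buf, sizeof(buf), "%s", path) >= (int)sizeof(buf))
        return DIR_MISSING;                 /* path too long to examine */
    if (lstat(dirname(buf), &st) != 0)      /* dirname() may modify buf */
        return DIR_MISSING;
    if (!S_ISDIR(st.st_mode))               /* e.g. the parent is a symlink */
        return DIR_NOT_A_DIR;
    if (st.st_mode & (S_IWGRP | S_IWOTH))   /* /tmp: anyone can pre-create the name */
        return DIR_OTHERS_CAN_WRITE;
    if (st.st_uid != owner && st.st_uid != 0)
        return DIR_WRONG_OWNER;
    return DIR_OK;
}

/* Demo on constructed input: scratch directory with `mode`, FIFO path inside.
 * Returns a DIR_* code, or -1 if the scratch directory cannot be set up. */
int demo_check_with_mode(mode_t mode)
{
    char dir[] = "/tmp/rtdir_XXXXXX", path[64];
    int rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    if (chmod(dir, mode) == 0) {
        snprintf(path, sizeof(path), "%s/kamailio_fifo", dir);
        rc = runtime_dir_check(path, geteuid());
    }
    rmdir(dir);
    return rc;
}
```

A directory with mode 1777 (the mode of `/tmp`) is reported as `DIR_OTHERS_CAN_WRITE`, while a daemon-owned directory with mode 0750 passes.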
Hi All,
I have been experiencing a deadlock when a timeout occurs on a t_relayed()
INVITE. Going through the code I have noticed a possible chance of deadlock
(without re-entrant enabled). Here is my thinking:
t_should_relay_response() is called with REPLY_LOCK when the timer process
fires on the fr_inv_timer (no response from the INVITE that was relayed,
other than 100 provisional) and a 408 is generated. However, from within
that function there are calls to run_failure_handlers() which in turn
*could* try and lock the reply (viz. somebody having a t_reply() call in
the cfg file - in failure route block). This would result in another lock
on the same transaction's REPLY_LOCK....
Has anybody else experienced something like this?
this is on master btw.
Cheers
Jason
If Kamailio is globally configured to send offline notification replies using `modparam("msilo", "from_address", "sip:$rU@example.com")`, there is currently no way to disable the offline notification reply during script processing.
For example, a scenario where you might want to store the original MESSAGE but not send the offline notification reply is when you are also using the IMC module. When `user@example.com` is part of an IMC chat, but goes offline for some reason, the MSILO module will store the original MESSAGE, then generate the offline notification reply back to the IMC chat, which generates another MESSAGE with `user@example.com` as a recipient... This instantly leads to thousands of MESSAGE generations.
I am thinking that it's a nice feature to have offline notification replies enabled when `modparam("msilo", "from_address", "sip:$rU@example.com")` is defined, but that the MSILO module could check the existence (or non-existence) of a flag to determine whether or not it would generate an offline notification reply, so the logic would be something like:
```
#!define FLT_MSILO_DISABLE_OFFLINE_REPLY 13
modparam("msilo", "from_address", "sip:$rU@example.com")
modparam("msilo", "disable_offline_reply_flag", FLT_MSILO_DISABLE_OFFLINE_REPLY)
```
Then m_store() checks that `from_address` is valid and that `disable_offline_reply_flag` is not set.
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/61
Trying to load my server in the background, the main process core dumps at init of db_sqlite
Git head, os/x
```
(gdb) bt full
#0 0x00007fff8610c66a in _dispatch_barrier_async_f_slow ()
No symbol table info available.
#1 0x00007fff8acd13bd in sqlite3_initialize ()
No symbol table info available.
#2 0x0000000104b75ba3 in sqlite_mod_init () at db_sqlite.c:69
No locals.
#3 0x00000001033bc93c in init_mod (m=0x103809b80) at sr_module.c:943
No locals.
#4 0x00000001033bc414 in init_mod (m=0x103809e58) at sr_module.c:940
No locals.
```
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/43
My websocket TLS server is full of these kinds of messages:
```
Jan 18 18:10:26 ws0 /usr/sbin/kamailio[19701]: NOTICE: <script>: http:217.120.x.x:55386: WS connection closed
...
Jan 18 18:10:26 ws0 /usr/sbin/kamailio[19689]: WARNING: <core> [msg_translator.c:2506]: via_builder(): TCP/TLS connection (id: 0) for WebSocket could not be found
Jan 18 18:10:26 ws0 /usr/sbin/kamailio[19689]: ERROR: <core> [msg_translator.c:1722]: build_req_buf_from_sip_req(): could not create Via header
Jan 18 18:10:26 ws0 /usr/sbin/kamailio[19689]: ERROR: tm [t_fwd.c:527]: prepare_new_uac(): could not build request
Jan 18 18:10:26 ws0 /usr/sbin/kamailio[19689]: ERROR: tm [t_fwd.c:1773]: t_forward_nonack(): ERROR: t_forward_nonack: failure to add branches
Jan 18 18:10:26 ws0 /usr/sbin/kamailio[19689]: ERROR: sl [sl_funcs.c:387]: sl_reply_error(): ERROR: sl_reply_error used: No error (2/SL)
```
(repeat these last errors for a bunch of attempted NOTIFY forwards)
The route block does basically something like this:
```
# add_contact_alias(); # only for requests from the outside
loose_route();
if (!t_relay()) {
    sl_reply_error();
}
```
The problem arises here:
```
}else if (send_info->proto==PROTO_WS){
    ...
    con = tcpconn_get(send_info->id, &ip, port, from, 0);
    ...
    if (con == NULL) {
        LM_WARN("TCP/TLS connection (id: %d) for WebSocket could not be found\n", send_info->id);
```
The NULL failure status gets returned up to `prepare_new_uac` in `t_fwd.c`:
```
shbuf=build_req_buf_from_sip_req( i_req, &len, dst, BUILD_IN_SHM);
if (!shbuf) {
    LM_ERR("could not build request\n");
    ret=E_OUT_OF_MEM;
    goto error01;
}
```
At this point, ser_error will become `E_OUT_OF_MEM` while it should be something like `E_SEND`.
And `E_OUT_OF_MEM` gets translated to `500 No Error` because we're not running in DEBUG mode.
What causes the connection to drop in the first place, you ask?
```
18:10:18.690738 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [S], seq 1323983240, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:10:18.690863 IP 195.35.x.x.443 > 217.120.x.x.55386: Flags [S.], seq 4077761781, ack 1323983241, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 3], length 0
18:10:18.710846 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [.], ack 1, win 256, length 0
18:10:18.808751 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [P.], seq 1:246, ack 1, win 256, length 245
...
18:10:19.233415 IP 195.35.x.x.443 > 217.120.x.x.55386: Flags [.], ack 31348, win 5126, length 0
18:10:26.489764 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [P.], seq 31348:32473, ack 34578, win 255, length 1125
...
18:10:26.501409 IP 195.35.x.x.443 > 217.120.x.x.55386: Flags [P.], seq 42255:42916, ack 46010, win 5046, length 661
18:10:26.527755 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [.], ack 36993, win 252, length 0
18:10:26.527860 IP 195.35.x.x.443 > 217.120.x.x.55386: Flags [.], seq 42916:47296, ack 46010, win 5278, length 4380
18:10:26.527888 IP 195.35.x.x.443 > 217.120.x.x.55386: Flags [FP.], seq 47296:48663, ack 46010, win 5278, length 1367
18:10:26.529179 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [.], ack 40501, win 254, length 0
18:10:26.529200 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [.], ack 42916, win 251, length 0
18:10:26.547276 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [.], ack 48664, win 251, length 0
18:10:26.549712 IP 217.120.x.x.55386 > 195.35.x.x.443: Flags [F.], seq 46010, ack 48664, win 251, length 0
18:10:26.549750 IP 195.35.x.x.443 > 217.120.x.x.55386: Flags [.], ack 46011, win 5278, length 0
```
Where you see that the FIN is initiated by `195.35.x.x` which is the Kamailio websocket server.
The cause (probably) is the WS client closing the connection. In this case after re-subscribing with Expires:0. The presence server attempts to reply with a bunch of NOTIFYs with `Subscription-State: terminated;reason=timeout` but they bounce on the broken connection. If Kamailio would return a nice "477 Unfortunately error on sending to next hop occurred" it'd be prettier.
Getting fewer "error" messages (a total of 6 *per* expired/unsubscribed subscription) after this error -- which is apparently very common -- would be beneficial too.
As for fixing:
- We could change the `via_builder` to set `ser_error` (and check that in `build_req_buf_from_sip_req`), or
- add error-code-out-parameters to all calls from `build_req_buf_from_sip_req` and down.
I'm not sure if either is the best way.
As for the excessive error reporting, would looking at `ser_error` before printing (another) error be an acceptable fix?
Cheers,
Walter Doekes
OSSO B.V.
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/47
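The second option listed above (error-code out-parameters), modelled in a few functions as an added example; this is not Kamailio source, and every name and error value in it is hypothetical. It contrasts the behaviour of the excerpt, where any build failure becomes out-of-memory, with passing the failing layer's own error up to the caller.

```c
#include <stdio.h>

/* Constructed error codes for this model; not Kamailio's values. */
enum { ERR_NONE = 0, ERR_OUT_OF_MEM = -1, ERR_SEND = -2 };

struct dest { int is_ws; int conn_found; };        /* stand-in for send_info */
const struct dest DEAD_WS = { 1, 0 }, LIVE_WS = { 1, 1 };

/* Lowest layer: it knows the real cause, so it records it in *err. */
static int build_via(const struct dest *d, char *out, size_t cap, int *err)
{
    int n;
    if (d->is_ws && !d->conn_found) {               /* connection lookup failed */
        *err = ERR_SEND;
        return -1;
    }
    n = snprintf(out, cap, "Via: SIP/2.0/WSS proxy.example\r\n");
    if (n < 0 || (size_t)n >= cap) {                /* no room for the header */
        *err = ERR_OUT_OF_MEM;
        return -1;
    }
    return n;
}

/* Middle layer: writes the request line, then passes the callee's error through. */
static int build_req_buf(const struct dest *d, char *out, size_t cap, int *err)
{
    int n = snprintf(out, cap, "NOTIFY sip:user@example.com SIP/2.0\r\n"), v;
    if (n < 0 || (size_t)n >= cap) {
        *err = ERR_OUT_OF_MEM;
        return -1;
    }
    v = build_via(d, out + n, cap - (size_t)n, err);
    return v < 0 ? -1 : n + v;
}

/* propagate == 0: the excerpt's behaviour, any failure becomes out-of-memory.
 * propagate == 1: report the error set by the layer that actually failed. */
int prepare_uac(const struct dest *d, int propagate)
{
    char buf[256];
    int err = ERR_NONE;
    if (build_req_buf(d, buf, sizeof(buf), &err) >= 0)
        return ERR_NONE;
    return propagate ? err : ERR_OUT_OF_MEM;
}

/* Reply status for an error: the 500 versus 477 outcome from the report. */
int reply_status(int err) { return err == ERR_SEND ? 477 : 500; }
```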
This patch adds the possibility to specify the src ip addr we want to use when connecting to a peer.
Useful when we have several ip addresses in the same machine and we want diameter traffic going out from a specific one.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/45
-- Commit Summary --
* modules/cdp: added src_addr parameter in peer definition
-- File Changes --
M modules/cdp/config.h (1)
M modules/cdp/configexample/ConfigExample.xml (2)
M modules/cdp/configparser.c (9)
M modules/cdp/peer.c (5)
M modules/cdp/peer.h (23)
M modules/cdp/peermanager.c (6)
M modules/cdp/receiver.c (21)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/45.patch
https://github.com/kamailio/kamailio/pull/45.diff
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/45
Hi Team,
Recently we upgraded our Kamailio server to 4.2.1 and it was running successfully without any issue. We are seeing some issue with the TCP calls which are relayed from Kamailio.
We have a set of physical servers and the calls are distributed by checking the dispatcher module. Sometimes we are seeing the TCP packets are malformed from Kamailio to one server. We can see the UDP calls are working fine with the same server at the same time TCP packets are malformed. That means there is no issue with the network connectivity between the Kamailio server and our media server. Once we restart Kamailio we are not seeing this issue and the TCP calls will start working with Kamailio and media server.
Can you help us to answer these questions.
1. Any idea about this TCP packet malformed error? We were not able to reproduce this TCP packet issue and we are seeing this error in our production environment.
2. Sometimes we have some errors for TCP max conn (ERROR) : 2048 (the default). We are planning to increase the TCP connection to 4096 (tcp_max_connections=4096). Whether it will create any issue if we are increasing to 4096 or it will affect Kamailio performance?
Thanks for looking in to this.
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/51
There are two files in tmrec module that have no copyright, no boilerplate, anything.
period.c and period.h
Do you know their history? Should we add a GPL or BSD boilerplate or something?
If so, please take action.
/O
Without this patch nathelper builds the request-uri from received
if it's set and falls back to contact.
Now we have an option to send the Contact (that has the username part) no matter what.
We used this in order to fix problems with FritzBox subscribers, but seeing https://www.mail-archive.com/sr-users@lists.sip-router.org/msg13081.html maybe this is useful for everybody.
with @sipwise hat on
You can merge this Pull Request by running:
git pull https://github.com/linuxmaniac/kamailio vseva/nathelper_contact_only
Or you can view, comment on it, or merge it online at:
https://github.com/kamailio/kamailio/pull/31
-- Commit Summary --
* usrloc: add GAU_OPT_ONLY_CONTACT option and get_all_ucontacts_opt() in order to use it
* nathelper: add contact_only option to ignore "received" field from usrloc and use contact info for building the ping message
-- File Changes --
M modules/nathelper/doc/nathelper_admin.xml (20)
M modules/nathelper/nathelper.c (12)
M modules/usrloc/dlist.c (34)
M modules/usrloc/dlist.h (14)
M modules/usrloc/usrloc.c (1)
M modules/usrloc/usrloc.h (6)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/31.patch
https://github.com/kamailio/kamailio/pull/31.diff
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/31